Risk management, strategy and analysis from DeloitteCONTENT FROM OUR SPONSORPlease note: The Wall Street Journal News Department was not involved in the creation of the content below.

Text Size

Regular

Medium

Large

Google+

Print

Managing Reputational Risks Across the Enterprise

Too often, managing reputational risk is a task left for individual functions, without a unified channel to the board and C-suite executives. Social media, however, is creating an imperative for many organizations to take a consistent, broader and strategic approach to managing reputational issues, starting with a fully dedicated chief risk officer (CRO). Henry Ristuccia, a Deloitte Advisory partner in Deloitte & Touche LLP, and Global Governance, Regulatory and Risk leader, Deloitte Touche Tohmatsu Limited, discusses the importance of viewing reputation as an asset that contributes value and what the C-suite can do to protect it.

Henry Ristuccia

Q: What can organizations do to better protect their reputation from risk and why should they?

Henry Ristuccia: First, the top of the organization’s house—the board, the C-suite and the CEO—really needs to come to terms with reputation as a critical element that drives the organization’s value and so requires active management. If impaired, reputation could potentially harm value. So the dialogue needs to begin at that level, which I don’t think many organizations spend the time thinking about. Often, organizations recognize that they need to do this only after they’ve had a significant problem.

Second, the social-mobile-big data world we live in moves the issue of reputation at nanospeed. There must be mechanisms in place to monitor what is being said online, and this goes well beyond sentiment. But the other side of that question is, how do you put in mechanisms that are appropriate for the day and age? The solution needs to be technologically appropriate and flexible. Organizations can’t be risk sensing for everything all the time. Rather, they need to fine-tune their risk-sensing capabilities to capture what they are sensitive to at the moment. They need to ask, “How are we calibrating our radar for this?”

Q: Are boards and C-suite executives making the connection between reputation and shareholder value?

Henry Ristuccia: There is an increasing recognition that reputation is a valuable asset, but there is room for improvement. Our Reputation@Risk survey of more than 300 C-level executives around the world found that 87% of respondents rate reputation risk as “more important” or “much more important.” And 88% say they are explicitly focusing on reputation risk as a key business challenge. Further, the vast majority of organizations, more than 76%, say that they are better than average with respect to reputation. I think there may be a false sense of confidence because when asked what they are doing about it, many can’t point to anything demonstrable. That can lead to major difficulties when a crisis sets in, which again, can take a toll on reputation.

Q: What is changing in terms of the C-suite and the board’s views of social media and monitoring intelligence?

Henry Ristuccia: Looking back a few years, it was common for the board to view social media as something that needed a policy to govern its use, which is far too limiting a view. Today, more and more board members, as well as senior executives, are seeing the value that social media can provide. After all, social media is not only about what an organization’s employees are saying. It is also about the media, the organization’s business partners, its customers, competitors and other stakeholders and what they are doing, as well as what society is saying. Social media enriches big data. I think board members are beginning to recognize that there is an opportunity to mine some of that information, use it as a scope to perceive what’s happening in the marketplace and manage risk. And some increasingly understand the power of social media as a value-generating tool, as well as its ability to disrupt businesses.

Q: What experience and investments might be needed to manage social media and other risks strategically?

Henry Ristuccia: It takes a CRO or another C-suite executive to manage this whole issue of reputation, brand and risk management as a primary responsibility—not a part-time venture. Although organizations are recognizing they need to have dedicated CROs, the numbers are growing at a slow pace, except where the role is legislated or regulatory driven, as in the case of banks. It’s not uncommon to find risk management under CFOs, yet they often don’t have the time to spend on the transformational element of risk across the enterprise, which can include tying risk to overall corporate strategy and then using that intelligence to access new business opportunities. In other cases, the role of the CRO can end up attached to legal counsel or the chief accounting officer, which can be constraining or limiting.

Whoever is in charge of creating a strategic risk program should be thinking about how to put in the risk management framework, what is that language, and then determining the technology tools needed to have a more proactive risk radar in place, such as a risk dashboard with data refreshed on a regular basis, as well as game theory and scenario planning. That’s where the key investments should be. And there should be an investment by the board and the C-suite in terms of the mindshare they spend on risk—talking about risk and what the organization might need to monitor and plan for risks that could damage the organization’s reputation. It’s a way of thinking about strategic risk as a continuous loop.

Q: Some organizations lack a unified voice regarding social media, with marketing going one way, for example, and corporate communications another. How can organizations address that challenge?

Henry Ristuccia: That’s where the CRO comes in. It’s the synergy of the brands that shareholders value—the collective—so the organization needs to settle on a common view and approach across functions, divisions and other parts of the business, and that should be captured in a common dashboard. That’s the call to action for the CRO to ask, “What’s corporate communications doing? What’s PR doing? What’s legal doing? Now, how do we bring it all together?”

Without the CRO function, that effort is generally ad hoc at best and often doesn’t harness the value of the collective. At worst, the effort can be disjointed and confusing to the senior stakeholders, the CEO and board members.

Related Deloitte Insights

Today’s business models are exposed to an increasing number of potential digital disruptions that can be costly to an organization’s brand and reputation and quickly escalate to the C-suite or board level. Meanwhile, many legacy disaster recovery programs, based mainly on the principle of redundancy, only address part of the challenge. A more comprehensive approach, known as technical resilience, can be more effective. This “always on” strategy continually monitors and tracks potential risks and can help organizations avoid disruptions by focusing on proactive measures, innovative architecture design and operational excellence.

For many organizations, risk management tends to have a more operational than strategic focus. In contrast, organizations that align strategy and risk are likely to be able to exercise “strategic resiliency," which is the ability to anticipate, identify and act on risks when introducing or executing new strategies. That may increase the chances of success—even amid uncertainty. Viewing strategy through a risk lens can help organizations understand which risks provide opportunities for long-term value creation and which risks should be protected against.

To succeed in today’s world, leaders have to welcome and embrace high-stakes uncertainty. For the prepared organization, uncertainty can provide opportunity to distance themselves from the competition, and leaders who embrace and view risk more broadly than just compliance will anticipate better, seize opportunity and emerge stronger. Learn questions executive teams should consider to find out if they are prepared for the next industry disruption, natural disaster, competitive attack, product recall or activist investor.

Views & Analysis

Many executives believe that the manufacturing sector is vulnerable to emerging and dynamic cyber risks, given the industry’s pace of technology change due to innovations in shop floor automation and connected products, according to a study by Deloitte and The Manufacturers Alliance for Productivity and Innovation (MAPI). Learn about escalation frameworks and the type of leadership and talent that are needed to address cyber risks effectively, as well as questions boards can ask to determine how cyber risks are being detected, managed and mitigated.

For the travel, hospitality and leisure sector, external shocks—such as terrorist attacks and the Zika epidemic—are impacting consumer travel decisions and reshaping their travel preferences. At the same time, the sector is increasingly vulnerable to internal risks such as food safety and cybersecurity. Understand how risk management in the sector is being balanced with the need to innovate, and what boards of directors are doing to become more engaged in risk oversight.

The anti-bribery management standards issued by the Geneva-based International Organization for Standardization (ISO) provide automotive companies, as well as global organizations in other sectors, with new guidance and tools that could potentially help mitigate the risks and costs of noncompliance with anti-bribery laws. Learn about the global nature of the new ISO guidance, as well as other considerations for any organization considering incorporating it into their ethics and compliance program.

Editor's Choice

Boards and C-suite executives overwhelmingly see risk as having an important role in value creation, but just 17% of respondents say they are actively using risk to drive returns, according to a new global survey from Deloitte. The survey also found that senior stakeholders want chief risk officers to spend significantly more time playing the strategist role, with a majority of respondents saying their risk officers should participate more in setting the strategic direction of the company and aligning risk management strategies accordingly.

Traditionally, internal audit (IA) has focused on providing assurance with respect to known risks and the effectiveness of controls in mitigating those risks. Regulators, however, are increasingly interested in an organization’s ability to identify blind spots and other vulnerabilities that may undermine the integrity of the risk management environment, including the risk of misconduct. IA functions can play a pivotal role by substantively testing culture and identifying potential risk-related outliers that may not be visible via other means, such as supervisory frameworks, escalations, compliance assessment and testing, and previous audits.

Identifying and managing strategic risks can be a difficult task. To add to the challenge, many companies have traditionally separated their risk and strategy functions and think of risk as more of a compliance responsibility rather than a dynamic tool for value creation, business performance management and growth. However, companies that align strategy and risk can be better served to allow for a process of “strategic resiliency,” which involves anticipating, knowing and acting on risks when introducing or executing new strategies as a way of increasing the chances of success in spite of uncertainty.

About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.